AI-Assisted Cybercrime: Japanese High School Students Hack Rakuten Mobile with ChatGPT

Japanese authorities recently arrested three teenagers aged 14-16 for allegedly using ChatGPT to develop software that illegally accessed Rakuten Mobile’s systems. The students registered over 100 eSIM phone numbers which they later resold for profit, amassing approximately 7.5 million yen (about $50,000 USD) through their scheme. The trio now faces charges of violating Japan’s Unauthorized Computer Access Law and computer fraud statutes.

How Minors Exploited AI for Cybercrime

The suspects include a 15-year-old middle school student from Shiga Prefecture, a 16-year-old high school freshman from Gifu Prefecture, and a 14-year-old middle school student from Tokyo. The three initially met through online gaming and coordinated their activities via Telegram, where they purchased over 30 billion sets of Rakuten Mobile customer account credentials.

Using these stolen credentials, the teens leveraged ChatGPT to develop automated scripts that successfully logged into Rakuten Mobile’s systems approximately 220,000 times. This allowed them to register numerous eSIM cards which they subsequently resold on the black market.

According to the Nikkei newspaper, the teenagers specifically targeted Rakuten Mobile due to its relatively lax identity verification protocols. The telecommunications provider allowed a single account to register up to 15 phone numbers without requiring additional documentation—significantly more than competitors, which typically cap registrations at five numbers per account.

Organized Criminal Operation

Police investigations revealed a sophisticated operation with clear role distribution among the three minors. The high school student was primarily responsible for developing the software, while the two middle school students handled the sales of the illegally obtained eSIMs. The group collected payments predominantly in cryptocurrency, amassing profits of around 7.5 million yen.

Beyond the eSIM scheme, the teenagers also engaged in credit card fraud, generating an additional 3.5 million yen in illegal profits. Social media user YASYA_STEEL commented on X (formerly Twitter): “Rakuten Mobile will likely pursue compensation from them, casting a dark shadow over their future prospects.”

Implications and Future Security Measures

This case exposes significant vulnerabilities in Rakuten Mobile’s security systems, which will likely prompt the company to implement more stringent identity verification mechanisms. Rakuten Mobile, established in 2019 as Japan’s fourth major mobile carrier, has positioned itself as a low-cost alternative with digital-first services—a strategy that may have inadvertently created these security gaps.

Japanese law enforcement agencies are expected to enhance monitoring of cybercrime among minors in response to this incident. As artificial intelligence tools like ChatGPT become increasingly accessible, similar cases may become more prevalent, pushing government agencies and corporations to collaborate on developing stricter cybersecurity regulations.

The case highlights the double-edged nature of AI technology—while offering tremendous benefits across industries, it simultaneously provides new tools for those with criminal intent. Educational institutions across Japan may now face increased pressure to incorporate ethical technology use into their curricula to prevent similar incidents in the future.